From f94c5331d1b753ebb1f049222c3c7d486fcbc08f Mon Sep 17 00:00:00 2001
From: "Nicolas B. Pierron"
Date: Tue, 12 May 2015 11:26:52 +0200
Subject: [PATCH] Bug 1154971 - ValueNumbering: Skip finding the leader if the simplified instruction existed before the simplification. r=sunfish
---
 js/src/jit-test/tests/ion/bug1154971.js | 10 ++++++++++
 js/src/jit/MIR.cpp | 6 ++----
 js/src/jit/ValueNumbering.cpp | 9 ++++++++-
 3 files changed, 20 insertions(+), 5 deletions(-)
 create mode 100644 js/src/jit-test/tests/ion/bug1154971.js
diff --git a/js/src/jit-test/tests/ion/bug1154971.js b/js/src/jit-test/tests/ion/bug1154971.js
new file mode 100644
index 00000000000..ec49a88fcd0
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1154971.js
@@ -0,0 +1,10 @@
+
+
+function f(x, y) {
+ return Math.imul(0, Math.imul(y | 0, x >> 0))
+}
+for (var i = 0; i < 2; i++) {
+ try {
+ (f(1 ? 0 : undefined))()
+ } catch (e) {}
+}
diff --git a/js/src/jit/MIR.cpp b/js/src/jit/MIR.cpp
index 071733bd72f..7465e40bad8 100644
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@@ -287,7 +287,6 @@ MInstruction::foldsToStoredValue(TempAllocator& alloc, MDefinition* loaded) MOZ_ASSERT(loaded->type() < MIRType_Value); MBox* box = MBox::New(alloc, loaded); - block()->insertBefore(this, box); loaded = box; }
@@ -2316,7 +2315,6 @@ MMinMax::foldsTo(TempAllocator& alloc) MLimitedTruncate::New(alloc, operand->getOperand(0), MDefinition::NoTruncate); block()->insertBefore(this, limit); MToDouble* toDouble = MToDouble::New(alloc, limit); - block()->insertBefore(this, toDouble); return toDouble; }
@@ -2326,7 +2324,6 @@ MMinMax::foldsTo(TempAllocator& alloc) MLimitedTruncate::New(alloc, operand->getOperand(0), MDefinition::NoTruncate); block()->insertBefore(this, limit); MToDouble* toDouble = MToDouble::New(alloc, limit); - block()->insertBefore(this, toDouble); return toDouble; } }
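Review bot: The new test file bug1154971.js carries no comment saying what it guards, and because the call is wrapped in `catch (e) {}` it can only fail through a crash or an assertion inside the JIT. A one-line header such as `// Bug 1154971: GVN must cope with foldsTo returning an instruction that is already in the graph.` would tell the next reader why the odd shape of `f` matters. That wording is inferred from the commit subject and should be confirmed by the author.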
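Review bot: In `foldsToStoredValue` the `MBox` is now returned without being placed in a block, so every caller has to insert it; the same holds for `toDouble` in the two `MMinMax::foldsTo` hunks, where `limit` is still inserted with `block()->insertBefore(this, limit)` but its user is not. The ValueNumbering.cpp part of this patch does insert a block-less result next to `def`, but any other caller of these functions is outside the hunks, and one that used the result directly would reference a definition that belongs to no block. A comment at each return, for example `// Not inserted here: the caller inserts the returned instruction next to |this|.`, would record the contract. All three functions start and end outside their hunks.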
@@ -4669,7 +4666,8 @@ MTableSwitch::foldsTo(TempAllocator& alloc) } MDefinition* -MArrayJoin::foldsTo(TempAllocator& alloc) { +MArrayJoin::foldsTo(TempAllocator& alloc) +{ // :TODO: Enable this optimization after fixing Bug 977966 test cases. return this;
diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
index eb367e132ef..bad38b33358 100644
--- a/js/src/jit/ValueNumbering.cpp
+++ b/js/src/jit/ValueNumbering.cpp
@@ -756,8 +756,10 @@ ValueNumberer::visitDefinition(MDefinition* def) if (sim == nullptr) return false; + bool isNewInstruction = sim->block() == nullptr; + // If |sim| doesn't belong to a block, insert it next to |def|. - if (sim->block() == nullptr) + if (isNewInstruction) def->block()->insertAfter(def->toInstruction(), sim->toInstruction()); #ifdef DEBUG
@@ -783,6 +785,11 @@ ValueNumberer::visitDefinition(MDefinition* def) // Otherwise, procede to optimize with |sim| in place of |def|. def = sim; + + // If the simplified instruction was already part of the graph, then we + // probably already visited and optimized this instruction. + if (!isNewInstruction) + return true; } // Now that foldsTo is done, re-enable the original dependency. Even though
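Review bot: `isNewInstruction` in the first ValueNumbering.cpp hunk is derived only from `sim->block() == nullptr`, so it is correct only if every `foldsTo` returns a freshly created instruction un-inserted. This patch removes the self-insertion at three sites in MIR.cpp; a `foldsTo` elsewhere that still inserts its own result would be classified as pre-existing here and would presumably leave the visit early through the later `if (!isNewInstruction)` return. Stating that above the declaration, e.g. `// foldsTo must leave a newly created result out of any block; a result that already has a block is treated as pre-existing.`, would make the dependency explicit. `visitDefinition` starts and ends outside the hunk.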
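Review bot: The added `return true` in the second ValueNumbering.cpp hunk leaves `visitDefinition` before the code that follows this block, which the trailing context comment describes as re-enabling the original dependency, and the new comment justifies the exit only with "probably already visited". Since `def` has just been reassigned to `sim`, skipping that step for a pre-existing `sim` looks intended, but that code is outside the hunk and the comment should state the reason rather than leave it implied. Suggested wording: `// |sim| was already in the graph and is visited on its own, so do not look up a leader for it or apply |def|'s saved dependency to it.` If `sim` can be an instruction that has not been visited yet, the comment should drop "already visited" altogether.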